
Security

Three things to know:

  • We encrypt your data: your holdings, accounts, and broker connections.
  • We never have your brokerage credentials, so we can't access your accounts.
  • The connection is read-only, so we can't trade, move, or withdraw your money.

1. We never store a password

You sign in with your Google account or a one-time code sent to your email, so there's no Wabi password to leak or steal. If you use Google, securing it with two-factor authentication protects your Wabi account the same way.

2. We can't touch your accounts

We never have the credentials to any brokerage you connect. You sign in through the brokerage's own portal (via SnapTrade), never through us, so we never see or store them.

The connection is read-only. We can see your balances and holdings to show you your portfolio, and nothing more. We can't place trades, move money, or make withdrawals.

3. Your data is encrypted

Everything is encrypted on the way to us (TLS) and while it's stored (AES-256). The most sensitive parts, like your broker connection and account details, get an extra layer of encryption before they're saved, so they're never readable, even by us.

4. Don't take our word for it

You can check our security yourself. These are live, public scans and the partners we rely on.

SSL Labs TLS Scan: Report

Verifies that our Transport Layer Security (TLS) configuration is hardened against active interception and downgrade attacks.

Mozilla Observatory: Report

Measures how well we implement essential security headers, including Content Security Policy, HSTS, and X-Frame-Options.

Security Headers: A Grade

An independent scanner that assesses the standard defensive HTTP response headers that protect visitors against cross-site scripting.

Hardenize Audit: Verified

Goes beyond TLS to verify broader network hygiene: DNSSEC, CAA record compliance, DMARC alignment, and MTA-STS mail safety.

HSTS Preload List: Active

Confirms our domain is hardcoded in Chrome, Safari, and Firefox as HTTPS-only, eliminating any chance of man-in-the-middle SSL stripping.

RFC 9116 security.txt: Published

We publish our vulnerability disclosure contact details in the standard location, bewabi.co/.well-known/security.txt.


Verified Infrastructure Partners

SnapTrade: Brokerage connection using SnapTrade

Wabi utilizes SnapTrade as our official API bridge to brokerages. This integration is zero-custody: credentials and authentication flow strictly through SnapTrade's secured portals. Wabi never accesses, records, or stores your primary account keys.

Stripe: Billing using Stripe

All billing and subscription records are handled by Stripe. Credit card and banking transactions are managed exclusively via Stripe Checkout and Elements under PCI-DSS SAQ-A compliance. Card details never touch Wabi's servers.

5. Found a security issue?

If you spot a vulnerability, please tell us. Email hello@bewabi.co or see /.well-known/security.txt. We'll respond quickly to investigate and fix it.
